upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-15 22:11:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 25

fix(files_sharing): block downloading if needed

Browse source 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
This commit is contained in:
Ferdinand Thiessen 2025-02-18 11:58:12 +01:00
parent 8886f367e4
commit c19ce403f3
No known key found for this signature in database
GPG key ID: 45FAE7268762B400
2 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
apps/files_sharing/lib/Controller/ShareController.php
View file

@ -359,6 +359,11 @@ class ShareController extends AuthPublicShareController {
return new DataResponse('Share has no read permission');
}
$attributes = $share->getAttributes();
if ($attributes?->getAttribute('permissions', 'download') === false) {
return new DataResponse('Share has no download permission');
}
if (!$this->validateShare($share)) {
throw new NotFoundException();
}

29
apps/files_sharing/tests/Controller/ShareControllerTest.php
View file

@ -42,6 +42,7 @@ use OCP\IUserManager;
use OCP\Security\ISecureRandom;
use OCP\Server;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IAttributes;
use OCP\Share\IPublicShareTemplateFactory;
use OCP\Share\IShare;
use PHPUnit\Framework\MockObject\MockObject;
@ -690,6 +691,34 @@ class ShareControllerTest extends \Test\TestCase {
$this->assertEquals($expectedResponse, $response);
}
public function testDownloadShareWithoutDownloadPermission(): void {
$attributes = $this->createMock(IAttributes::class);
$attributes->expects(self::once())
->method('getAttribute')
->with('permissions', 'download')
->willReturn(false);
$share = $this->createMock(IShare::class);
$share->method('getPassword')->willReturn('password');
$share->expects(self::once())
->method('getPermissions')
->willReturn(Constants::PERMISSION_READ);
$share->expects(self::once())
->method('getAttributes')
->willReturn($attributes);
$this->shareManager
->expects(self::once())
->method('getShareByToken')
->with('validtoken')
->willReturn($share);
// Test with a password protected share and no authentication
$response = $this->shareController->downloadShare('validtoken');
$expectedResponse = new DataResponse('Share has no download permission');
$this->assertEquals($expectedResponse, $response);
}
public function testDisabledOwner(): void {
$this->shareController->setToken('token');